1 Introduction

Wireless Sensor Networks (WSNs) are envisioned to be integrated into our everyday
lives, enabling a wealth of commercial applications such as environmental and
habitat monitoring, disaster relief and emergency rescue operations, patient
monitoring, as well as military applications such as target detection and tracking.
These applications are facilitated by the collaborative processing of the physical
properties monitored by the sensors, such as temperature, light, sound, humidity,
vibration, acceleration, or air quality.

For most applications of WSNs, knowledge of the origin of the sensed information
is critical for taking appropriate action based on the observations. As an example,
if a smoke detector reports the outbreak of a fire, this information, while useful,
is not sufficient to initiate proper action. On the other hand, associating the report
from the smoke detector with a location in space enables a timely response to the
reported event. Hence, the association of the observations reported by sensors with
space increases the quality of the information aggregated via the sensor network.
Furthermore, location is assumed to be known in many network operations, such as
routing protocols, where a family of geographically-aided algorithms has been
proposed [2], or security protocols, where location information is used to prevent
threats against network services [13, 16]. In WSNs, enabling sensors to associate
their reports with space is achieved via the location estimation process, also known
as localization.

The majority of the localization techniques proposed for WSNs [4, 12, 25, 27, 31, 34]
are designed to operate in benign environments with no security threats. However,
WSNs may be deployed in hostile environments and operate unsupervised, and hence
are vulnerable to conventional and novel attacks [11, 30] aimed at interrupting the
functionality of location-aware applications by exploiting the vulnerabilities of the
localization scheme.

In this chapter, we study the problem of enabling nodes of a WSN to determine
their location even in the presence of malicious adversaries. This problem will be
referred to as Secure Localization. We consider secure localization in the context of
the following design goals: (a) decentralized implementation, (b) resource efficiency,
and (c) robustness against security threats.

We illustrate a series of attacks against localization schemes for WSNs [11, 13, 26, 28]
and propose SeRLoc, a robust location estimation scheme for WSNs that achieves
decentralized, resource-efficient sensor localization even in the presence of
adversaries. We also propose a high-resolution localization algorithm called HiRLoc
that improves the localization accuracy at the expense of more complicated hardware.
Since sensors are hardware and power limited, SeRLoc and HiRLoc rely on a two-tier
network architecture. The network consists of a small number of nodes with known
coordinates and orientation, which we call locators, and a large number of
resource-constrained sensor devices with unknown location.

Moreover, since distance measurements are susceptible to distance
enlargement/reduction [5], we do not use any such measurements to compute the sensor
location. Instead, sensors rely on beacon broadcasts from the locators containing
localization information to infer their location. We refer to methods that do not use
distance measurements as range-independent localization schemes [4, 12, 25]. Methods
for securing range-dependent localization schemes are presented in [5, 7].

Since range-independent schemes do not rely on any distance measurements to
estimate location, they are not vulnerable to range-alteration attacks. However, an
adversary may launch relay-type attacks such as the wormhole attack [13, 28],
impersonation attacks such as the Sybil attack [11, 26], or compromise network
entities. First, we describe the impact of these attacks on the location estimation
process, and then we provide mechanisms that allow each sensor to determine its
location even in the presence of these threats. Furthermore, we analytically evaluate
the probability of success for each type of attack using spatial statistics theory [9].

The remainder of the chapter is organized as follows. In Section 2, we illustrate
different attacks against range-independent location estimation schemes. In Section 3,
we state our network model. In Section 4, we describe two algorithms for robustly
estimating the position of sensors. In Section 5, we present a threat analysis. In
Section 6, we evaluate the performance of SeRLoc and HiRLoc. In Section 7, we present
related work and open problems. Section 8 presents our conclusions.


2 Attacks on Range-independent Localization Schemes

In this section, we first define the adversarial model considered for WSNs. We then
illustrate different types of attacks against range-independent localization schemes.

2.1 Adversarial Model

We assume that the adversary’s goal is to mislead sensors to falsely estimate their
location. We also assume that in its effort to mislead the sensors, the adversary must
remain undetected. We do not consider Denial-of-Service (DoS) attacks against the
localization scheme. Such attacks can be easily detected, since sensors will not be
able to compute their position. We also do not address attacks against the physical
medium such as frequency jamming. Spread spectrum [38] and coding [39] are known to
be efficient mechanisms to shield the physical layer against jamming attacks. Also,
we do not consider any attack against the Medium Access Control (MAC) protocol that
may lead to a denial-of-service (DoS). Secure location estimation schemes that take
jamming into account are presented in [5, 20].

Fig. 1. The adversary records the broadcast of reference point $L_i$, tunnels it to the
region of the sensor under attack and replays it. The sensor believes it is within
range of $L_i$.

2.2 Attack Models

In range-independent location estimation methods, nodes rely on localization
information included in beacons transmitted from reference points in order to estimate
their position. In order to bias the location estimation process, the adversary
attempts to inject bogus localization information into the network. This can be
achieved by performing a wormhole (relay) attack [13, 28, 30], an impersonation
(Sybil) attack [11, 26], or compromise of reference points. In any of those attacks,
we assume that at least some valid information not altered by the adversary is
present, allowing the node to estimate its position. We now discuss the different
attacks against range-independent localization schemes in more detail.

The Wormhole (Relay) Attack

The wormhole attack is a relay type of attack where an adversary relays information
transmitted at one part of the network to some distant part of the network, thus
violating the geometry of the network and the communication range constraint. To
mount a wormhole attack, the adversary initially establishes a direct link, referred
to as a wormhole link, between two points in the network. Once the wormhole link
is established, the adversary eavesdrops (records) messages at one end of the link,
referred to as the origin point, tunnels them through the wormhole link and replays
them at the other end, referred to as the destination point. The wormhole attack is
very difficult to detect, since it is launched without compromising any host, or the
integrity and authenticity of the communication [13, 28].

Fig. 2. (a) The adversary impersonates reference point $L_i$ to a sensor under attack.
The sensor is misled to believe it is within range of $L_i$ with $L_i$ located at
$(X_2, Y_2)$, (b) reference point $L_i$ is compromised and falsely reports its location.

When an adversary launches a wormhole attack against the location estimation
process, sensors located at the destination point of the attack hear beacons
transmitted from reference points located at the origin point of the attack. Hence,
sensors are misled to believe they are within proximity of reference points at the
origin point of the attack. The bogus localization information is properly
authenticated by the sensors (since beacons are indeed authentic) and can
significantly bias the location estimation at each sensor under attack.

One mechanism for detecting relay-type attacks is synchronizing the nodes of the
network and timestamping each message [13]. Every recipient of a message compares
the timestamp with the time when the message is received to determine whether the
message has traveled a distance longer than the communication range of the sender.
However, when the RF medium is used for transmitting beacons, synchronization has to
be achieved with nanosecond accuracy [13]. Using a slower medium, such as the
acoustic medium, to transmit beacons and avoid the tight synchronization requirement
leaves the system vulnerable to wormholes when the adversary uses an RF wormhole
link to relay the localization information in a timely manner.


2.3 The Impersonation (Sybil) Attack

In the impersonation attack, the adversary assumes one or multiple identities from
network nodes and impersonates those nodes to other entities within the network
[11, 26]. With respect to the localization process, the adversary impersonates
reference points and injects bogus localization information into the network. Unlike
the wormhole attack, in the Sybil attack model, the adversary must compromise
cryptographic quantities necessary to prove its impersonated IDs to the nodes under
attack. Hence, nodes properly authenticate an adversary as a trustable source.

In Figure 2, the adversary impersonates locator $L_i$ to a sensor that is not within
the range of $L_i$. The sensor under attack is misled to believe that it can hear
locator $L_i$ located at coordinates $(X_2, Y_2)$. The adversary can modify the
coordinates contained within the beacon to any arbitrary position within the network.
2.4 Compromise of Network Nodes

The adversary may also be able to compromise network nodes used in the location
estimation process and force them to misbehave. For example, the adversary may
compromise reference points and force them to falsely report their positions. Under
node compromise, we assume that the adversary gains full control over the behavior
of the entity that has been compromised. This assumption is significantly stronger
than the assumption made for launching an impersonation attack, where the adversary
can only impersonate a node and not alter its behavior (controls only the
impersonators).

We assume that the sensors have to receive at least some localization information
from uncompromised reference points in order to perform any kind of robust location
estimation. In Figure 2(b), we show the compromise of locator $L_i$ and the broadcast
of bogus localization information. The sensor is misled to believe that locator $L_i$
is located at position $(X_2, Y_2)$.


3 Network Model

In this section, we state our network model assumptions for building our secure
location estimation algorithm.

Network Setup: We assume a two-tier network architecture where a set of sensors $S$
of unknown location is randomly deployed with a density $\rho_s$ within an area $A$,
and a set of reference points $L$ we call locators, with known location* and
orientation, is also randomly deployed with a density $\rho_L$.

Antenna Model: We assume that sensors are equipped with omnidirectional antennas
and transmit with power $P_s$, while locators are equipped with $M$ directional
antennas with directivity gain $G > 1$, and transmit with power $P_L > P_s$. Since the
locator transmission power is higher than the sensor transmission power, the
locator-sensor communication channel is asymmetric. For the rest of the chapter, we
denote the sensor-to-locator communication range as $r$, and the locator-to-sensor
communication range as $R$.

System Parameters: Since both locators and sensors are randomly and independently
deployed, it is essential to select the system parameters so that a sufficient
number of locators can communicate with sensors. The random deployment of the
locators with a density $\rho_L = \frac{|L|}{A}$ ($|\cdot|$ denotes the cardinality of
a set) is equivalent to a sequence of events following a homogeneous Poisson point
process of rate $\rho_L$ [9]. The random deployment of sensors with a density
$\rho_s$ = is equivalent to a random sampling of the area $A$ with rate $\rho_s$ [9].
Making use of Spatial Statistics theory [9], if $LH_s$ denotes the set of locators
heard by a sensor $s$, that is, within range $R$ from $s$, the probability that $s$
hears exactly $k$ locators, given that the locators are randomly and independently
deployed, is given by the Poisson distribution:

= (1)

Based on (1) and the independent deployment of sensors, the probability for every
sensor to hear at least $k$ locators, $P(|LH_s| \ge k)$, is:

$$P(|LH_s| \ge k,\ \forall s \in S) = \left(1 - \sum_{i=0}^{k-1} \frac{(\rho_L \pi R^2)^i}{i!}\, e^{-\rho_L \pi R^2}\right)^{|S|}. \quad (2)$$

Equation (2) allows the choice of $\rho_L$, so that a sensor hears at least $k$
locators with any desired probability.

* We presume that locators acquire their position either through manual insertion or
through GPS receivers [36]. Though GPS signals can be spoofed, knowledge of the
coordinates of several nodes is essential to achieve any kind of node localization
for any localization scheme.


4 Secure Location Estimation in WSN

In this section, we describe two location estimation schemes. We first present the
SEcure Range-independent Localization scheme (SeRLoc) that enables sensors to
determine their location based on beacon information transmitted by the locators,
even in the presence of security threats. We then present the HIgh-resolution
LOCalization scheme (HiRLoc) that improves the location resolution.

4.1 Location Determination in SeRLoc

In SeRLoc, sensors determine their location based on the localization information
included in beacons transmitted by the locators. Figure 3(a) illustrates the idea
behind SeRLoc. Each locator transmits beacons at each antenna sector containing (a)
the locator’s coordinates and (b) the angles of the antenna boundary lines with
respect to a common global axis.

For each locator $L_i$ heard at a sensor $s$, sensor $s$ defines the sector $S_i$
corresponding to the transmission of that locator, where $s$ has to be included.
Combining information from multiple locators, it defines the Region Of Intersection
(ROI) as the region where the maximum number of sectors overlap:

$$ROI = \bigcap_{i=1}^{|LH_s|} S_i. \quad (3)$$

The sensor $s$ determines its location as the center of gravity (CoG) of the ROI.
The CoG is the least square error solution given that a sensor can lie with equal
probability at any point of the ROI. In Figure 3(a), the sensor hears beacons from
locators $L_1 \sim L_4$ and determines its position as the CoG of the ROI. We now
present the algorithmic details of SeRLoc.
Fig. 3. (a) The sensor hears locators $L_1 \sim L_4$ and estimates its location as the
Center of Gravity (CoG) of the region of intersection, (b) Determination of the
search area.


- Step 1: Collection of localization information: In Step 1, the sensor collects
information from all the locators that it can hear. A sensor $s$ can hear all locators
$L_i \in L$ that lie within a circle of radius $R$, centered at $s$.

$$LH_s = \{L_i : \|s - L_i\| \le R,\ L_i \in L\}. \quad (4)$$

- Step 2: Search area: In Step 2, the sensor computes a search area for its location.
Let $X_{min}, Y_{min}, X_{max}, Y_{max}$ denote the minimum and the maximum locator
coordinates from the set $LH_s$.

$$X_{min} = \min_{L_i \in LH_s} X_i, \quad X_{max} = \max_{L_i \in LH_s} X_i, \quad Y_{min} = \min_{L_i \in LH_s} Y_i, \quad Y_{max} = \max_{L_i \in LH_s} Y_i. \quad (5)$$

Since every locator of set $LH_s$ needs to be within a range $R$ from sensor $s$, if
$s$ can hear locator $L_i$ with coordinates $(X_{min}, Y_i)$, it has to be located left
of the vertical boundary of $(X_{min} + R)$. Similarly, $s$ has to be located right of
the vertical boundary of $(X_{max} - R)$, below the horizontal boundary of
$(Y_{min} + R)$, and above the horizontal boundary of $(Y_{max} - R)$. The dimensions
of the rectangular search area are $(2R - d_x) \times (2R - d_y)$, where $d_x, d_y$ are
the horizontal distance $d_x = X_{max} - X_{min} \le 2R$ and the vertical distance
$d_y = Y_{max} - Y_{min} \le 2R$, respectively. In Figure 3(b), we show the search area
for the network setup in Figure 3(a).

- Step 3: Overlapping region - Majority vote: In Step 3, sensors determine the
ROI of all sectors they hear. Since it would be computationally expensive for each
sensor to analytically determine the ROI based on the line intersections, we employ
a grid scoring system that defines the ROI based on majority vote.

Grid score table: The sensor places a grid of equally spaced points within the
rectangular search area as shown in Figure 4(a). For each grid point, the sensor holds
a score in a grid score table, with initial values equal to zero. For each grid point,
the sensor executes the grid-sector test detailed in the following, to decide if the
grid point is included in a sector heard from a locator of set $LH_s$. If the
grid-sector test is positive, the sensor increments the corresponding grid score table
value by one; otherwise the value remains unchanged. This process is repeated for all
locators heard, $LH_s$, and all the grid points. The ROI is defined by the grid points
that have the highest score in the grid score table. In Figure 4(a), we show the grid
score table and the corresponding ROI.

Fig. 4. (a) Steps 3, 4: Placement of a grid of equally spaced points in the search
area, and the corresponding grid score table. The sensor estimates its position as the
centroid of all grid points with the highest score, (b) Step 3: Grid-sector test for a
point $g$ of the search area.

Note that due to the finite grid resolution, error is induced in the calculation. The
resolution of the grid can be increased to reduce the error at the expense of energy
consumption due to the increased processing time.

Grid-sector test: A point $g : (x_g, y_g)$ is included in a sector of angles
$[\theta_1, \theta_2]$ originating from locator $L_i$ if it satisfies two conditions:

$$C_1 : \|g - L_i\| \le R, \qquad C_2 : \theta_1 \le \phi \le \theta_2, \quad (6)$$

where $\phi$ is the slope of the line connecting $g$ with $L_i$. Note that the sensor
does not have to perform any angle-of-arrival (AOA) measurements. Both the coordinates
of the locators and the grid points are known, and hence the sensor can analytically
calculate $\phi$. In Figure 4(b), we illustrate the grid-sector test with all angles
measured with reference to the x axis.

- Step 4: Location estimation: The sensor determines its location as the centroid
of all the grid points that define the ROI.


(7) 


where $n$ is the number of grid points of the overlapping region, and
$(x_{g_i}, y_{g_i})$ are the coordinates of the grid points.

4.2 HiRLoc: High-resolution Range-Independent Localization Scheme

In this section, we present the High-resolution Range-independent Localization
scheme (HiRLoc) that allows sensors to determine their location with higher accuracy
compared to SeRLoc at the expense of more complex hardware at the locator side.

Fig. 5. (a) The sensor is located within the intersection of the sectors $S_1(j)$,
$S_2(j)$, which defines the region of intersection ROI. (b) The ROI is reduced by the
rotation of the antenna sectors by some angle $\alpha$.

4.3 Location Determination in HiRLoc

In HiRLoc, localization accuracy is improved by having locators either rotate their
antenna system or change their communication range in order to define new sectors
where transmission takes place. Superimposing the sectors indicated by the beacons
not only in space but also in time provides the extra location resolution. Based on
the beacon information, the sensors define the sector area $S_i(j)$ as the confined
area covered by the $j^{th}$ transmission of a locator $L_i$.

By collecting beacons from the locators $L_i \in LH_s$, the sensor can compute its
location as the ROI of all the sectors $S_i(j)$. Note that a sensor can hear beacons
from multiple locators, and multiple beacons generated by the same locator. Hence,
the ROI after the $m^{th}$ round of beacon transmissions can be expressed as the
intersection of all the sectors corresponding to the beacons available at each sensor:

$$ROI(m) = \bigcap_{i=1}^{|LH_s|} \bigcap_{j=0}^{m} S_i(j) = \bigcap_{j=0}^{m} \left( \bigcap_{i=1}^{|LH_s|} S_i(j) \right). \quad (8)$$

Since the ROI indicates the confined region where the sensor is located, reducing the
size of the ROI leads to an increase in the localization accuracy. Based on equation
(8), we can reduce the size of the ROI by (a) reducing the size of the sector areas
$S_i(j)$ and (b) increasing the number of intersecting sectors $S_i(j)$.

In HiRLoc, reduction of the ROI is achieved by exploiting the temporal dimension.
The locators provide different localization information at consecutive beacon
transmissions by (a) varying the direction of their antennas and (b) varying the
communication range of the transmission via power control. We now explore how both
these methods lead to the reduction of the ROI.

1. Varying the antenna orientation: The locators are capable of transmitting
at all directions (omnidirectional coverage) using multiple directional antennas.
Every antenna has a specific orientation and hence corresponds to a fixed sector area
$S_i(j)$. The antenna orientation is expressed by the angle information contained in
the beacon $\theta_i(j) = \{\theta_{i,1}(j), \theta_{i,2}(j)\}$, where
$\theta_{i,1}(j), \theta_{i,2}(j)$ denote the lower and upper bounds of the sector
$S_i(j)$.

Fig. 6. Locator $L_i$ is equipped with three directional antennas of beamwidth ^ each. The
transmission of beacons at each sector, followed by antenna rotation by followed by a
transmission of update beacons, is equivalent to equipping $L_i$ with six directional
antennas of beamwidth

Instead of reducing the size of the intersecting sectors by narrowing the antenna
beamwidth, locators can change the orientation of their antennas and re-transmit
beacons with the new sector boundaries. A change in the antenna orientation can occur
either by changing the orientation of the locators, or by rotation of their antenna
system. A sensor collects multiple sector information from each locator over a
sequence of transmissions: $S_i(j) = S_i(\theta_i(j), j),\ j = 1 \ldots Q$. As expressed
by equation (8), the intersection of a larger number of distinct sectors leads to a
reduction in the size of the ROI. As an example, consider Figure 5, where a sensor $s$
hears locators $L_1, L_2$. In Figure 5(a), we show the first round of beacon
transmissions by the locators $L_1, L_2$, and the corresponding $ROI(1)$. In Figure
5(b), the locators $L_1, L_2$ rotate their antennas by an angle $\alpha$ and transmit
the second round of beacons with the new sector boundaries. The ROI in the two rounds
of beacon transmissions can be expressed as:

$$ROI(1) = S_1(1) \cap S_2(1), \qquad ROI(2) = ROI(1) \cap S_1(2) \cap S_2(2). \quad (9)$$

The antenna rotation over time can be interpreted as an increase in the number
of antenna sectors of each locator via superposition over time. For example, consider
Figure 6, where a locator is equipped with three directional antennas of beamwidth
^ . Transmission of one round of beacons, followed by antenna rotation by ^ and
re-transmission of the updated beacons is equivalent to transmitting one round of
beacons when locators are equipped with six directional antennas of beamwidth ^ .

2. Varying the communication range: A second approach to reduce the area
of the ROI is to reduce the size of the intersecting sectors. This can be achieved by
allowing locators to decrease their transmission power and re-broadcast beacons with
the new communication range information. In such a case, the sector area $S_i(j)$ is
dependent upon the communication range $R_i(j)$ at the $j^{th}$ transmission, i.e.
$S_i(j) = S_i(R(j), j)$. To illustrate the ROI reduction, consider Figure 7(a), where
locators $L_1, L_2$ transmit with their maximum power; sensor $s$ computes:
$ROI(1) = S_1(1) \cap S_2(1)$. In Figure 7(b), locators $L_1, L_2$ reduce their
communication range by lowering their transmission power and re-transmit the updated
beacons. While locator $L_1$ is out of range from sensor $s$ and, hence, does not
further refine the sensor’s location, $s$ can still hear locator $L_2$ and therefore
reduce the size of the ROI.

Fig. 7. (a) The sensor is located within the intersection of the sectors $S_1(j)$,
$S_2(j)$, which defines the ROI, (b) the locators reduce their communication range and
transmit updated beacons. While $s$ is outside the communication range of $L_1$, it can
still hear the transmission of $L_2$. The new beacon information leads to the
reduction of the ROI.

3. Hybrid approach: The combination of the variation of the antenna orientation
and communication range leads to a dual dependency of the sector area
$S_i(\theta_i(j), R(j), j)$. Such a dependency can also be interpreted as a limited
mobility model for the locators. For a locator $L_i$ moving in a confined area, the
antenna orientation and communication range with respect to a static sensor varies,
thus providing the sensor with multiple sector areas $S_i(j)$. The mobility model is
characterized as limited, since the locator has to be within the range of the sensor
for at least a fraction of its transmissions in order to provide the necessary
localization information. We now present the algorithmic details of HiRLoc.
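An added example, not code from the chapter: a Python sketch of SeRLoc Steps 1 to 4 of Section 4.1 (search area, grid-sector test, majority-vote grid score table, centroid) that also feeds a second, rotated round of beacons through the same vote to show the HiRLoc ROI reduction by antenna rotation. The locator coordinates, R = 10, three sectors per locator, the rotation by pi/3 and the grid resolution are constructed values, and `beacon_heard` is a hypothetical stand-in for the locator side.

```python
import math

TWO_PI = 2 * math.pi

def in_sector(g, beacon, R):
    """Grid-sector test (6): C1 ||g - L_i|| <= R and C2 theta1 <= phi <= theta2."""
    lx, ly, t1, t2 = beacon
    dx, dy = g[0] - lx, g[1] - ly
    if math.hypot(dx, dy) > R:
        return False
    phi = math.atan2(dy, dx) % TWO_PI
    # Compare angular offsets from theta1 so a sector wrapping past 2*pi still works
    # (assumes a beamwidth strictly below 2*pi).
    return (phi - t1) % TWO_PI <= (t2 - t1) % TWO_PI

def search_area(beacons, R):
    """Step 2: rectangle [Xmax - R, Xmin + R] x [Ymax - R, Ymin + R]."""
    xs = [b[0] for b in beacons]
    ys = [b[1] for b in beacons]
    return max(xs) - R, min(xs) + R, max(ys) - R, min(ys) + R

def localize(beacons, R, res=60):
    """Steps 3-4: score every grid point, keep the top scorers (ROI), return their centroid."""
    x_lo, x_hi, y_lo, y_hi = search_area(beacons, R)
    best, roi = -1, []
    for k in range(res + 1):
        for w in range(res + 1):
            g = (x_lo + k * (x_hi - x_lo) / res, y_lo + w * (y_hi - y_lo) / res)
            score = sum(in_sector(g, b, R) for b in beacons)
            if score > best:
                best, roi = score, [g]
            elif score == best:
                roi.append(g)
    n = len(roi)
    estimate = (sum(x for x, _ in roi) / n, sum(y for _, y in roi) / n)
    return estimate, roi, best

def beacon_heard(sensor, locator, M=3, offset=0.0):
    """Hypothetical locator side: the beacon (X, Y, theta1, theta2) of the one
    antenna sector, out of M equal sectors rotated by `offset`, covering the sensor."""
    lx, ly = locator
    phi = math.atan2(sensor[1] - ly, sensor[0] - lx) % TWO_PI
    width = TWO_PI / M
    idx = int(((phi - offset) % TWO_PI) // width)
    t1 = (offset + idx * width) % TWO_PI
    return (lx, ly, t1, (t1 + width) % TWO_PI)

# Constructed scenario: true sensor position and four locators within range R.
SENSOR = (10.0, 10.0)
LOCATORS = [(4.0, 12.0), (15.0, 14.0), (12.0, 3.0), (6.0, 5.0)]
R = 10.0

def demo():
    round1 = [beacon_heard(SENSOR, loc) for loc in LOCATORS]
    # HiRLoc: same locators, antennas rotated by pi/3, second round of beacons.
    round2 = [beacon_heard(SENSOR, loc, offset=math.pi / 3) for loc in LOCATORS]
    est1, roi1, score1 = localize(round1, R)
    est2, roi2, score2 = localize(round1 + round2, R)
    return {
        "score1": score1, "score2": score2,
        "roi1": roi1, "roi2": roi2,
        "err1": math.dist(est1, SENSOR), "err2": math.dist(est2, SENSOR),
    }

if __name__ == "__main__":
    r = demo()
    print("SeRLoc  ROI points:", len(r["roi1"]), "error:", round(r["err1"], 2))
    print("HiRLoc  ROI points:", len(r["roi2"]), "error:", round(r["err2"], 2))
```

Because every sector of both rounds contains the sensor, the highest grid score equals the number of beacons and the majority-vote ROI coincides with the intersection in equation (8).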

4.4 Securing the Beacon Transmissions

We now describe the mechanisms used to secure the beacons transmitted by the
locators.

Encryption: All beacons transmitted from locators are encrypted with a globally
shared symmetric key $K_0$. Although $K_0$ can easily be compromised with the
compromise of a single sensor, this solution is adopted for resource efficiency
reasons. Using $K_0$, locators are able to broadcast the localization information,
instead of unicasting the information to each sensor. Stronger broadcast
authentication algorithms known for ad hoc networks require the existence of a
central authority and time synchronization among all nodes of the network [29]. In
Section 5, we show that sensors are able to detect attacks even if $K_0$ has been
compromised, using consistency checks.

SeRLoc: Secure Range-Independent Localization Scheme

L : broadcast $L_i : \{ (X_i, Y_i) \,\|\, (\theta_1, \theta_2) \,\|\, (H^{n-j}(PW_i)) \,\|\, j \,\|\, ID_{L_i} \}_{K_0}$
s : define $LH_s = \{L_i : \|s - L_i\| \le R\} \cap \{H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i)\}$
s : define $A_s = [X_{max} - R,\ X_{min} + R,\ Y_{max} - R,\ Y_{min} + R]$
    for k = 1 : res
      for w = 1 : res
        $g(k,w) = (x_{g_k}, y_{g_w}) = (X_{max} - R + k ,\ Y_{max} - R + w )$
        for i = 1 : $|LH_s|$
          if $\{\|g(k,w) - L_i\| \le R\} \cap \{\theta_1 \le \phi(g(k,w)) \le \theta_2\}$
            $GST(k,w) = GST(k,w) + 1$
    $MG_s = \{g(k,w) : \{k,w\} = \arg\max GST\}$
s : $(x_{est}, y_{est}) = \left( \frac{1}{|MG_s|} \sum_{i=1}^{|MG_s|} x_{g_i},\ \frac{1}{|MG_s|} \sum_{i=1}^{|MG_s|} y_{g_i} \right)$

Fig. 8. The pseudocode of SeRLoc.

In addition to $K_0$, every sensor $s$ shares a symmetric pairwise key $K_s^{L_i}$ with
every locator $L_i$, also preloaded. Since the number of locators deployed is
relatively small, the storage requirement at the sensor side is within the storage
constraints (a total of $|L|$ keys). For example, mica motes [24] have 128 Kbytes of
programmable flash memory. Using 64-bit RC5 [32] symmetric keys and for a network
with 400 locators, a total of 3.2 Kbytes of memory is required to store all the keys
of the sensor with every locator. In order to save storage space at the locator
(locators would have to store $|S|$ keys), pairwise keys $K_s^{L_i}$ are derived by a
master key $K_{L_i}$, using a pseudorandom function $h$ [37], and the unique sensor
$ID_s$: $K_s^{L_i} = h_{K_{L_i}}(ID_s)$.

Locator ID Authentication: We use the following scheme based on efficient one-way hash chains [15], to provide locator ID authentication. Each locator $L_i$ has a unique password $PW_i$, blinded with the use of a collision-resistant hash function such as SHA1 [37]. Due to the collision resistance property, it is computationally infeasible for an attacker to find a $PW_j$, such that $H(PW_i) = H(PW_j)$, $PW_i \neq PW_j$. The hash sequence is generated using the following equation:

$H^0 = PW_i, \quad H^i = H(H^{i-1}), \quad i =$

with $n$ being a large number and never revealed to any sensor. Each sensor is preloaded with a table containing the ID of each locator and the corresponding hash value $H^n(PW_i)$. For a network with 400 locators, we need 9 bits to represent locator IDs. In addition, collision-resistant hash functions such as SHA1 [37] have a 160-bit output. Hence, the storage requirement of the hash table at any sensor is 8.45Kbytes^. To reduce the storage needed at the locators, we employ an efficient storage/computation method for hash chains of time/storage complexity $O(\log(n))$ [8].

L : broadcast L_i : { (X_i, Y_i) || (θ_{i,1}(1), θ_{i,2}(1)) || R_i(1) }
s : define LH_s = {L_i : ||s − L_i|| ≤ R_i(1)}
s : define A_s = [X_max − R_i(1), X_min + R_i(1), Y_max − R_i(1), Y_min + R_i(1)]
s : store S ← S_i(1) : { (X_i, Y_i) || (θ_{i,1}(1), θ_{i,2}(1)) || R_i(1) }, ∀ L_i ∈ LH_s
j = 1
for k = 1 : Q − 1
  for w = 1 : N − 1
    j++
    L reduce R(j) = R(j − 1) −
    L : broadcast L_i : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }
    s : replace S ← S_i(j) : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }, ∀ L_i : ||s − L_i|| ≤ R_i(j) ∩ L_i ∈ LH_s
  endfor
  j++
  R_i(j) = R_i(1), ∀ L_i ∈ LH_s
  L rotate θ_i(j) = {θ_{i,1}(j − 1) + , θ_{i,2}(j − 1) + }
  L : broadcast L_i : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }
  s : store S ← S_i(j) : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }, ∀ L_i : ||s − L_i|| ≤ R(j) ∩ L_i ∈ LH_s
endfor
s : compute ROI = ∩ S_i


Fig. 9. The pseudocode of HiRLoc.

The broadcasted beacon from locator $L_i$ includes the hash value $H^{n-j}(PW_i)$, along with the index $j$. Every sensor that hears the beacon accepts the message only if $H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i)$. After verification, the sensor replaces $H^{n-j+1}(PW_i)$ with $H^{n-j}(PW_i)$ in its memory and increases the hash counter by one so as to perform only one hash operation in the reception of the next beacon from the same locator $L_i$. The index $j$ is included in the beacons so that sensors can resynchronize with the current published hash value in case of loss of some intermediate hash values. The beacon of locator $L_i$ has the following format:

$L_i : \{ (X_i, Y_i) \,\|\, (\theta_1, \theta_2) \,\|\, (H^{n-j}(PW_i)) \,\|\, j \,\|\, ID_{L_i} \}_{K_0},$

where $\|$ denotes the concatenation operation and $\{m\}_K$ denotes the encryption of message $m$ with key $K$. Note that our method does not provide end-to-end locator authentication, but only guarantees authenticity for the messages received from locators directly heard by a sensor. This condition is sufficient to secure our localization scheme against possible attacks. The pseudocode for SeRLoc is presented in Figure 8. The pseudocode for HiRLoc is presented in Figure 9.

^ The required storage at each sensor in order to store 400 64-bit RC5 keys, 400 160-bit SHA1 hash values for secure communication with 400 locators is now 11.65Kbytes.

Fig. 10. (a) Wormhole attack: an attacker records beacons in area B, tunnels them via the wormhole link in area A and rebroadcasts them. (b) Computation of the common area $A_c$, where locators are heard by both $s$, $O$.
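The accept-and-advance rule for the locator hash chain, including resynchronization on the index $j$ after lost beacons, written out as an added example (not code from the chapter). The class names, the `max_skip` bound on catch-up hashing and the sample password are assumptions; coordinates, sector angles and the $K_0$ encryption of the beacon are left out.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def H(value: bytes) -> bytes:
    """One application of the chain's hash function (SHA-1, as the text names)."""
    return hashlib.sha1(value).digest()


def chain_value(password: bytes, applications: int) -> bytes:
    """Return H^applications(password)."""
    value = password
    for _ in range(applications):
        value = H(value)
    return value


class Locator:
    """Holds PW_i and the chain length n; neither is ever given to a sensor."""

    def __init__(self, locator_id: int, password: bytes, n: int):
        self.locator_id, self._password, self.n = locator_id, password, n

    def anchor(self) -> bytes:
        """H^n(PW_i): the value preloaded into every sensor's table."""
        return chain_value(self._password, self.n)

    def beacon(self, j: int) -> tuple[int, int, bytes]:
        """(ID, j, H^{n-j}(PW_i)) for the j-th transmission."""
        if not 1 <= j <= self.n:
            raise ValueError("chain exhausted or invalid index")
        return self.locator_id, j, chain_value(self._password, self.n - j)


@dataclass
class ChainState:
    value: bytes  # most recent authenticated chain value
    index: int    # its index j (0 for the preloaded anchor)


class Sensor:
    def __init__(self, preloaded: dict[int, bytes], max_skip: int = 8):
        self.table = {lid: ChainState(v, 0) for lid, v in preloaded.items()}
        self.max_skip = max_skip  # assumption: cap on resynchronization work

    def accept(self, locator_id: int, j: int, value: bytes) -> bool:
        state = self.table.get(locator_id)
        if state is None:
            return False                      # unknown locator ID
        gap = j - state.index
        if gap < 1 or gap > self.max_skip:
            return False                      # replayed/old index, or too far ahead
        candidate = value
        for _ in range(gap):                  # gap == 1 when no beacon was lost
            candidate = H(candidate)
        if not hmac.compare_digest(candidate, state.value):
            return False                      # value is not on this locator's chain
        state.value, state.index = value, j   # advance to the newest value
        return True


def demo() -> list[bool]:
    loc = Locator(7, b"constructed-password", n=1000)  # constructed sample
    sensor = Sensor({7: loc.anchor()})
    b1, b4 = loc.beacon(1), loc.beacon(4)
    return [
        sensor.accept(*b1),                 # first beacon verifies with one hash
        sensor.accept(*b1),                 # same hash value replayed
        sensor.accept(*b4),                 # beacons 2 and 3 lost, resynchronize
        sensor.accept(7, 5, b"\x00" * 20),  # forged chain value
        sensor.accept(*loc.beacon(2)),      # older, already superseded value
    ]
```

A replayed beacon fails here because the stored value has already advanced past it, which is the behaviour the single message per locator check in Section 5 relies on.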


5  Threat  Analysis 

In this section, we show how SeRLoc and HiRLoc are resilient to the attacks described in Section 2. Note that our goal is to allow sensors to determine their location, even in the presence of attacks, and not to prevent attacks that may be harmful in other network protocols.

5.1  The  Wormhole  Attack 
Threat  Model 

In the case of our location estimation process, an attacker launching a wormhole attack records the beacons transmitted from locators at the origin point of the attack and replays them at the destination point, thus providing false localization information to the sensors attacked. In Figure 10(a), the attacker records beacons at region B, tunnels them via the wormhole link in region A, and replays them, thus leading sensor $s$ to believe that it can hear locators $\{L_1 \sim L_8\}$.

Detecting  Wormholes 

In the case of a wormhole attack, the cryptography used to secure the beacon transmissions, and to authenticate the source of the information is not violated. Wormholes violate the geometry of the network by enabling the propagation of messages at a distance longer than the communication range [30]. Hence, in the case of the wormhole attack, additional non-cryptographic mechanisms are needed to detect the geometry violation. We now show how a sensor can detect a wormhole attack using two consistency check properties: the single message/sector per locator property and the communication range constraint property.

Single Message/Sector per Locator Property: The origin point $O$ of the wormhole attack defines the set of locators $LH_s^r$ replayed to the sensor $s$ under attack. The location of the sensor defines the set of locators $LH_s^d$ directly heard by the sensor $s$, with $LH_s = LH_s^r \cup LH_s^d$. Based on the single message/sector per locator property we show that the wormhole attack is detected when $LH_s^r \cap LH_s^d \neq \emptyset$.

Lemma 1. Single message per locator/sector property: reception of multiple messages authenticated with the same hash value is due to replay, multipath effects, or imperfect sectorization.

Proof. In the absence of any attack, a sensor can hear multiple sectors due to multipath effects. In addition, a sensor located at the boundary of two sectors can also hear multiple sectors even if there is no multipath or attack. We assume that the same but fresh hash value is used to authenticate them per beacon transmission. Hence, sensors will only accept the first message arriving from any sector of the same locator, per transmission. Due to the use of an identical but fresh hash in all sectors per transmission, if an adversary replays a message from any sector of a locator directly heard by the sensor under attack, the sensor will have already received the hash via the direct path and, hence, detect the attack and reject the message.

If we consider reception of multiple messages containing the same hash value due to multipath effects or imperfect sectorization to be a replay attack, a sensor will always assume it is under attack when it receives messages with the same hash value. Hence, an adversary launching a wormhole attack will always be detected if it replays a message from locator $L_i \in LH_s^d$, that is, if $LH_s^r \cap LH_s^d \neq \emptyset$. In Figure 11(a), $A_s$ denotes the area where $L_i \in LH_s^d$ (circle of radius $R$ centered at $s$), $A_o$ denotes the area where $L_i \in LH_s^r$ (circle of radius $R$ centered at $O$), and the shaded area $A_c$ denotes the common area $A_c = A_s \cap A_o$.

Claim. The detection probability $P(SG)$ due to the single message/sector per locator property is equal to the probability that at least one locator lies within an area of size $A_c$, and is given by:

$P(SG) = 1 - e^{-\rho_L A_c}, \quad \text{with} \quad A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (10)$

with $l$ as the distance between the origin point and the sensor under attack.

Proof. If a locator $L_i$ lies inside $A_c$, it is less than $R$ units away from a sensor $s$ and, therefore $L_i \in LH_s^d$. Locator $L_i$ is also less than $R$ units away from the origin point of the attack $O$, and therefore, $L_i \in LH_s^r$. Hence, if a locator lies inside $A_c$, $LH_s^r \cap LH_s^d \neq \emptyset$, and the attack is detected due to the single message/sector per locator property. The detection probability $P(SG)$ is equal to the probability that at least one locator lies within $A_c$. If $LH_{A_c}$ denotes the set of locators located within area $A_c$ then:

$P(SG) = P(|LH_{A_c}| \geq 1) = 1 - P(|LH_{A_c}| = 0) = 1 - e^{-\rho_L A_c}, \qquad (11)$

where $A_c$ can be computed from Figure 10(b) to be:

$A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (12)$

with $l = \|s - O\|$.

Fig. 11. (a) Single message/sector per locator property: a sensor $s$ cannot hear two messages authenticated with the same hash value. (b) Communication range violation property: a sensor $s$ cannot hear two locators more than $2R$ apart. (c) Combination of the two properties for wormhole detection.

Figure 12(a) presents the detection probability $P(SG)$ vs. the locator density $\rho_L$ and the distance $\|s - O\|$ between the origin point and the sensor under attack, normalized over $R$. We observe that if $\|s - O\| \geq 2R$, then $A_c = 0$, and the use of the single message/sector per locator property is not sufficient to detect a wormhole attack. For distances $\|s - O\| \geq 2R$, a wormhole attack can be detected using the following communication range constraint property.

Communication Range Violation Property: Given the coordinates of node $s$, all locators $LH_s$ heard by $s$ should lie within a circle of radius $R$, centered at $s$. Since node $s$ is not aware of its location it relies on its knowledge of the locator-to-sensor communication range $R$ to verify that the set $LH_s$ satisfies Lemma 2.

Lemma 2. Communication range constraint property: A sensor $s$ cannot hear two locators $L_i, L_j \in LH_s$, more than $2R$ apart, that is, $\|L_i - L_j\| \leq 2R$, $\forall L_i, L_j \in LH_s$.

Proof. Any locator $L_i \in LH_s$ has to lie within a circle of radius $R$, centered at the sensor $s$ (area $A_s$ in Figure 11(b)), $\|L_i - s\| \leq R$, $\forall L_i \in LH_s$. Hence,

$\|L_i - L_j\| = \|L_i - s + s - L_j\| \leq \|L_i - s\| + \|s - L_j\| \leq R + R = 2R. \qquad (13)$

Using the coordinates of $LH_s$, a sensor can detect a wormhole attack if the communication range constraint property is violated. We now compute the detection probability $P(CR)$ due to the communication range constraint property.

Claim. A wormhole attack is detected due to the communication range constraint property, with a probability:

P{CR)  >  [l  -  ,  A*  =  xyj  tan~^ 

where  x  =  . 

Proof. Consider Figure 11(b), where $\|s - O\| = 2R$. If any two locators within $A_s$, $A_o$ have a distance larger than $2R$, a wormhole attack is detected. Though $P(CR)$ is not easily computed analytically, we can obtain a lower bound on $P(CR)$ by considering the following event. In Figure 11(b), the vertical lines defining shaded areas $A_i$, $A_j$, are perpendicular to the line connecting $s$, $O$, and have a separation of $2R$. If there is at least one locator $L_i$ in the shaded area $A_i$ and at least one locator $L_j$ in the shaded area $A_j$, then $\|L_i - L_j\| > 2R$ and the attack is detected. Note that this event does not include all possible locations of locators for which $\|L_i - L_j\| > 2R$, and hence it yields a lower bound. If $C_{A_i,A_j}$ denotes the event $(|LH_{A_i}| > 0 \cap |LH_{A_j}| > 0)$ then,

$$
\begin{aligned}
P(CR) &= P(\|L_i - L_j\| > 2R,\; L_i, L_j \in LH_s) \\
&\geq P(CR \cap C_{A_i,A_j}) && (15) \\
&= P(CR \mid C_{A_i,A_j})\, P(C_{A_i,A_j}) && (16) \\
&= P(C_{A_i,A_j}) && (17)
\end{aligned}
$$

(18)

where (15) follows from the fact that the probability of the intersection of two events is always less or equal to the probability of one of the events, (16) follows from the definition of the conditional probability, (17) follows from the fact that when $C_{A_i,A_j}$ is true, we always have a communication range constraint violation ($P(CR \mid C_{A_i,A_j}) = 1$), and (18) follows from the fact that $A_i$, $A_j$ are disjoint areas and that locators are randomly deployed.

We can maximize the lower bound of $P(CR)$, by finding the optimal values $A_i^*$, $A_j^*$. In fact it can be shown that the lower bound in (18) attains its maximum value when $A_i^* = \max_i\{A_i\}$ subject to the constraint $A_i = A_j$ ($A_i$, $A_j$ are symmetric) [17], and is given by:

A*  =  A*  =  xVp^  -x^-  R^  tan-i  ( f 


and  X  = 


-Oil 


(19) 


Inserting (19) into (18) yields the required result: $P(CR) \geq (1 - e^{-\rho_L A_i^*})^2$.

In Figure 12(b), we show the maximum lower bound on $P(CR)$ vs. the locator density $\rho_L$, and the distance $\|s - O\|$ normalized over $R$. The lower bound on $P(CR)$ increases with the increase of $\|s - O\|$ and attains its maximum value for $\|s - O\| = 4R$ when $A_i^* = A_j^* =$ . For distances $\|s - O\| > 4R$ a wormhole attack is always detected based on the communication range constraint property, since any locator within $A_o$ will be more than $2R$ apart from any locator within $A_s$.

Fig. 12. Wormhole detection probability based on (a) the single message/sector per locator property: $P(SG)$; (b) a lower bound on the wormhole detection based on the communication range violation property: $P(CR)$; (c) a lower bound on the wormhole detection probability for SeRLoc.


Detection Probability $P_{det}$ of the Wormhole Attack: We now combine the two detection mechanisms, namely the single message/sector per locator property and the communication range constraint property for computing the detection probability of a wormhole attack.

Claim. The detection probability of a wormhole attack is lower bounded by $P_{det} \geq (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}$.

Proof. In the computation of the communication range constraint property, by setting $A_i = A_j$ and maximizing $A_i$ regardless of the distance $\|s - O\|$, the areas $A_i$, $A_j$, and $A_c$ do not overlap as shown in Figure 11(c). Hence, the corresponding events of finding a locator at any of these areas are independent and we can derive a lower bound on the detection probability $P_{det}$ by combining the two properties.

$$
\begin{aligned}
P_{det} &= P(SG \cup CR) = P(SG) + P(CR) - P(SG)P(CR) \\
&= P(SG) + P(CR)\,(1 - P(SG)) \\
&\geq (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}. && (20)
\end{aligned}
$$

The left side of (20) is a lower bound on $P_{det}$ since $P(CR)$ was also lower bounded.

In Figure 12(c), we show the lower bound on $P_{det}$ vs. the locator density and the distance $\|s - O\|$ normalized over $R$. For values of $\|s - O\| > 4R$, $P_{CR} = 1$, since any $L_i \in LH_s^d$ will be more than $2R$ away from any $L_j \in LH_s^r$ and hence, the wormhole attack is always detected. From Figure 12(c), we observe that a wormhole attack is detected with a probability very close to unity, independent of the origin and destination point of the attack.
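The two consistency checks (Lemma 1 and Lemma 2) run over a sensor's set of authenticated beacons, together with the $P(SG)$ expression of (10), as an added example that is not part of the chapter. The `Beacon` record, the range R = 20 and every coordinate and hash label below are constructed for illustration.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Beacon:
    locator_id: int
    x: float
    y: float
    hash_value: bytes  # chain value authenticating this transmission


def duplicate_hash_locators(beacons: list[Beacon]) -> set[int]:
    """Single message/sector per locator: the same (locator, hash) seen twice.

    Multipath and sector overlap trigger this too; the scheme treats every
    duplicate as an attack and pays for it with false alarms.
    """
    seen: set[tuple[int, bytes]] = set()
    flagged: set[int] = set()
    for b in beacons:
        key = (b.locator_id, b.hash_value)
        if key in seen:
            flagged.add(b.locator_id)
        seen.add(key)
    return flagged


def range_violations(beacons: list[Beacon], R: float) -> list[tuple[int, int]]:
    """Communication range constraint: heard locator pairs more than 2R apart."""
    coords = {b.locator_id: (b.x, b.y) for b in beacons}
    return [
        (i, j)
        for (i, p), (j, q) in combinations(sorted(coords.items()), 2)
        if math.dist(p, q) > 2 * R
    ]


def wormhole_detected(beacons: list[Beacon], R: float) -> bool:
    return bool(duplicate_hash_locators(beacons) or range_violations(beacons, R))


def common_area(l: float, R: float) -> float:
    """A_c = 2 R^2 phi - R l sin(phi), phi = arccos(l / 2R); zero once l >= 2R."""
    if l >= 2 * R:
        return 0.0
    phi = math.acos(l / (2 * R))
    return 2 * R * R * phi - R * l * math.sin(phi)


def p_sg(rho_l: float, l: float, R: float) -> float:
    """P(SG) = 1 - exp(-rho_L * A_c): at least one locator inside A_c."""
    return 1.0 - math.exp(-rho_l * common_area(l, R))


R = 20.0  # assumed locator-to-sensor range
# Constructed beacons. The sensor sits at (0, 0) but does not know that.
DIRECT = [Beacon(1, 5, 5, b"h1"), Beacon(2, -10, 8, b"h2"), Beacon(3, 12, -3, b"h3")]
# Replay from an origin at (30, 0): locator 3 lies in A_c, so its beacon
# arrives twice, and locator 4 is more than 2R from locator 2.
NEAR_REPLAY = DIRECT + [Beacon(3, 12, -3, b"h3"), Beacon(4, 45, 5, b"h4")]
# Replay from an origin at (100, 0): A_c is empty, only the geometry check fires.
FAR_REPLAY = DIRECT + [Beacon(5, 95, 5, b"h5"), Beacon(6, 105, -5, b"h6")]
```

For the far replay `p_sg` is exactly zero, which is why the range check has to run alongside the duplicate-hash check rather than as a fallback.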


Attach to Closer Locator Algorithm (ACLA)


s : broadcast { η_s || ID_s }
if L_i hears { η_s || ID_s } reply
L_i : { η_s || (X_i, Y_i) || (θ_1, θ_2) || (H^{n-j}(PW_i)) || j || ID_{L_i} }_{K_{s,L_i}}
L'_i : first authentic reply from a locator.
LH_s^d = {L_i ∈ LH_s : sector{L_i} intersects sector{L'_i}}
s : execute SeRLoc with LH_s = LH_s^d


Fig.  13.  The  pseudocode  of  ACLA. 


Location Resolution Algorithm: Although a wormhole can be detected using one of the two detection mechanisms, a sensor $s$ under attack cannot distinguish the set of locators directly heard $LH_s^d$ from the set of locators replayed $LH_s^r$ and hence, estimate its location. To resolve the location ambiguity sensor $s$ executes the Attach to Closer Locator Algorithm (ACLA).

Assume that a sensor authenticates a set of locators $LH_s = LH_s^d \cup LH_s^r$, but detects that it is under attack.

- Step 1: Sensor $s$ broadcasts a randomly generated nonce $\eta_s$ and its $ID_s$.

- Step 2: Every locator hearing the broadcast of sensor $s$ replies with a beacon that includes localization information and the nonce $\eta_s$, encrypted with the pairwise key $K_{s,L_i}$ instead of the broadcast key $K_0$. The sensor identifies the locator $L'_i$ that replies first with an authentic message that includes $\eta_s$.

- Step 3: Sensor $s$ identifies the set $LH_s^d$ as all the locators whose sectors overlap with the sector of $L'_i$, and executes SeRLoc with $LH_s = LH_s^d$.

The pseudocode of ACLA is presented in Figure 13. Note that the closest locator to sensor $s$ will always reply first if it directly hears the broadcast from $s$, and not through a replay from an adversary. In order for an adversary to force sensor $s$ to accept set $LH_s^r$ as the valid locator set, it can only replay the nonce $\eta_s$ to a locator $L_i \in LH_s^r$, record the reply, tunnel via the wormhole and replay it in the vicinity of $s$. However, a reply from a locator in $LH_s^r$ will arrive later than any reply from a locator in $LH_s^d$, since locators in $LH_s^r$ are further away from $s$ than locators in $LH_s^d$.

To  execute  ACLA,  a  sensor  must  be  able  to  communicate  bidirectionally  with 
at  least  one  locator.  The  probability  Ps^l  of  a  sensor  having  a  bidirectional  link 
with  at  least  one  locator  and  the  probability  Pm  that  all  sensors  can  bidirectionally 
communicate  with  at  least  one  locator  can  be  computed  as; 


P.s- 


=  1  —  e 


Pbd  =  {l- 


^-piTrr^G^ySI 


(21) 


Hence, we can select the system parameters $G$ so every sensor has a bidirectional link with at least one locator with any desired probability.

5.2 Impersonation (Sybil) Attack

An adversary can launch an impersonation attack against SeRLoc or HiRLoc if it successfully impersonates locators. Since sensors are pre-loaded with valid locator IDs along with the hash values corresponding to the head of the reversed hash chain for each locator, an adversary can only impersonate locators by compromising the globally shared key $K_0$.

Once $K_0$ has been compromised, the adversary has access to both locator IDs, the hash chain values published by the locators, as well as the coordinates of the locators. Since sensors always have the latest published hash values from the locators that they directly hear, an adversary can only impersonate locators that are not directly heard by the sensors under attack. The adversary can generate bogus beacons, attach an already published hash value from a locator not heard by the sensor under attack, and encrypt it with the compromised $K_0$.

Depending on the type of locators used, static or mobile, an adversary can impersonate locators in different ways. If the locators are static and their location is known before deployment, the coordinates of all locators can be preloaded to every sensor. Hence, the adversary cannot advertise a location that is different from the actual coordinates of an impersonated locator. In such a case, the Sybil attack is equivalent to a replay attack since the adversary cannot alter the content of the beacons^. If the locators are mobile, or their coordinates cannot be preloaded to the sensors before deployment, the adversary can place the impersonated locators to arbitrary positions. Hence, by impersonating a higher number of locators than the ones directly heard by the sensor under attack, the adversary can compromise the majority vote scheme of SeRLoc and displace the sensor.

Defense against the Sybil Attack: Though we do not provide a mechanism to prevent an adversary from impersonating locators except for the ones directly heard by a sensor, we can still determine the position of sensors in the presence of Sybil attack. In the case where sensors know a priori the coordinates of the locators, the sensor can detect the Sybil attack with the same mechanisms used for the wormhole attack, since the Sybil attack becomes a beacon replay. In the case where the coordinates of the locators are not preloaded to the sensors, an adversary can manipulate the coordinates of the impersonated locators, so that neither of the wormhole defense mechanisms detect an anomaly. The adversary needs to impersonate more than $|LH_s^d|$ locators in order to displace the sensor $s$. To avoid sensor displacement we rely on the invariability of the locator deployment statistics to detect locator impersonation.

Since the locator density $\rho_L$ is known before deployment, we can select a threshold value $L_{max}$ as the maximum allowable number of locators heard by each sensor. If a sensor hears more than $L_{max}$ locators, it assumes that it is under attack and executes ACLA to determine its position. The probability that a sensor $s$ hears more than $L_{max}$ locators is given by:

$P(|LH_s| \geq L_{max}) = 1 - P(|LH_s| < L_{max}) = 1 - \sum_{i=0}^{L_{max}-1} \frac{(\rho_L \pi R^2)^i}{i!}\, e^{-\rho_L \pi R^2}. \qquad (22)$

Using (22), we can select the value of $L_{max}$ so that there is a very small probability for a sensor to hear more than $L_{max}$ locators, while there is a very high probability for a sensor to hear more than $L_{max}/2$ locators. If a sensor hears more than $L_{max}$ locators without being under attack, the detection mechanism will result in a false positive alarm and force the sensor to execute ACLA to successfully locate itself. However, if a sensor hears less than $L_{max}/2$, the sensor is vulnerable to a Sybil attack. Therefore, we must select a threshold $L_{max}$ so that any sensor hears less than $L_{max}/2$ locators with a probability very close to zero.

In Figure 14, we show $P(|LH_s| \geq L_{max})$ vs. $L_{max}$ for varying locator densities $\rho_L$. Based on Figure 14, we can select the appropriate $L_{max}$ for each value of $\rho_L$. For example, when $\rho_L = 0.03$, a choice of $L_{max} = 46$ allows a sensor to localize itself when under Sybil attack with a probability $P(|LH_s| \geq 23) = 0.995$, while the false positive alarm probability is $P(|LH_s| > 46) = 0.1045$.

Fig. 14. $P(|LH_s| \geq L_{max})$ vs. $L_{max}$ for varying locator densities $\rho_L$. When $\rho_L = 0.03$, a choice of $L_{max} = 46$ allows a sensor to localize itself when under Sybil attack with a probability $P(|LH_s| \geq 23) = 0.995$, while the false positive alarm probability is $P(|LH_s| > 46) = 0.1045$.

^ The adversary can alter the angle information contained in the beacon. However, this is equivalent to replaying the beacon of another sector.


5.3  Compromised  Network  Entities 

In  this  section,  we  examine  the  robustness  of  SeRLoc  and  HiRLoc  to  compromised 
network  entities.  We  consider  a  sensor  node  or  a  locator  node  to  be  compromised  if 
an  attacker  assumes  full  control  over  the  behavior  of  the  node  and  knows  all  the  keys 
stored  at  the  compromised  node. 

Compromised Sensors: Though sensors are assumed to be easier to compromise, an attacker has no incentive to compromise sensors, since they do not actively participate in the localization procedure. The only benefit in compromising a sensor is to gain access to the globally shared key $K_0$.

Compromised Locators: An adversary that compromises a locator $L_i$ gains access to the globally shared key $K_0$, the pairwise keys shared between the locator and every sensor, as well as all the hash values of the locator's hash chain. By compromising a single locator, the adversary can displace any sensor, by impersonating the compromised locator from a position closer to the sensor under attack compared to the closest legitimate locator. The adversary impersonates multiple locators in order to force location ambiguity to the sensor under attack. Once the attack is detected, sensor $s$ executes ACLA to resolve its location ambiguity. Since the adversary is closer to the sensor $s$ than the closest legitimate locator, its reply will arrive to $s$ first. Hence, $s$ will assume that the impersonated set of locators is the valid one and will be displaced.

To avoid sensor displacement by a single locator compromise, we can intensify the resilience to locator compromise by involving more than one locator in the location resolution algorithm at the expense of higher communication overhead. A sensor $s$ under attack, can execute the Enhanced Location Resolution Algorithm (ELRA) that follows.

- Step 1: Sensor $s$ broadcasts a randomly generated nonce $\eta_s$, the set of locators heard $LH_s$ and its $ID_s$.

$s : \{ \eta_s \,\|\, LH_s \,\|\, ID_s \}. \qquad (23)$

- Step 2: Every locator $L_i$ receiving the broadcast from $s$ appends its coordinates, the next hash value of its hash chain and its $ID_{L_i}$, encrypts the message with $K_0$ and re-broadcasts the message to all sectors.

$L_i : \{ \eta_s \,\|\, LH_s \,\|\, ID_s \,\|\, (X_i, Y_i) \,\|\, H^{n-j}(PW_i) \,\|\, j \,\|\, ID_{L_i} \}_{K_0}. \qquad (24)$

- Step 3: Every locator receiving the rebroadcast, verifies the authenticity of the message, and that the transmitting locator is within its range. If the verification is correct and the receiving locator belongs to $LH_s$, the locator broadcasts a new beacon with location information and the nonce $\eta_s$ encrypted with the pairwise key $K_{s,L_i}$ with sensor $s$.

$L_i : \{ \eta_s \,\|\, (X_i, Y_i) \,\|\, (\theta_1, \theta_2) \,\|\, H^{n-j}(PW_i) \,\|\, j \,\|\, ID_{L_i} \}_{K_{s,L_i}}. \qquad (25)$

- Step 4: The sensor collects the first $L_{max}$ authentic replies from locators and executes SeRLoc with $LH_s = L_{max}$.

The pseudocode for the enhanced location resolution algorithm is presented in Figure 15. Note that for a locator to hear the sensor’s broadcast, it has to be within

1 

a range r,^ = rG from the sensor. Furthermore, in order for the sensor to make the correct location estimate, all locators within a range R from s need to provide new beacon information.

Claim. Every locator positioned within $R$ from a sensor $s$ is within the range of any locator positioned at a distance $r_{sL}$ from the sensor $s$.

Enhanced Location Resolution Algorithm (ELRA)


s : broadcast { η_s || LH_s || ID_s }
RL_s = {L_i : ||s − L_i|| ≤ r_{sL}}
RL_s : broadcast { η_s || LH_s || ID_s || (X_i, Y_i) || H^{n-j}(PW_i) || j || ID_{L_i} }_{K_0}
BL_s = {L_i : ||RL_s − L_i|| ≤ r_{LL}} ∩ LH_s
BL_s : broadcast { η_s || (X_i, Y_i) || (θ_1, θ_2) || H^{n-j}(PW_i) || j || ID_{L_i} }_{K_{s,L_i}}
s : collect L_max authentic beacons from BL_s
s : execute SeRLoc with collected beacons


Fig. 15. The pseudocode for the enhanced location resolution algorithm (ELRA).


Proof. For any locator positioned at a distance $r_{sL}$ from the sensor $s$ to reach any locator positioned at a distance $R$ from sensor $s$, the following condition has to hold:

$r_{LL} \geq R + r_{sL}.$

RG^  >  R+rG^  ^  (26) 

rG~i 

2  2 

Since  R  >  rG~<  by  assumption,  and  G~<  >1,  the  left  side  of  (26)  is  always  greater 
than  one. 

Each beacon broadcast from a locator has to include the nonce $\eta_s$ initially broadcasted by the sensor and be encrypted with the pairwise key between the sensor and the locator. Hence, given that the sensor has at least $L_{max}/2$ locators within range $R$ with very high probability (see Figure 14), the adversary has to compromise at least $(L_{max}/2 + 1)$ locators, in order to compromise the majority vote scheme of SeRLoc. In addition, the attacker has to possess the hardware capabilities to process and transmit $(L_{max}/2 + 1)$ replies before replies from valid locators reach the sensor under attack. Our enhanced location resolution algorithm significantly increases the resilience of SeRLoc to locator compromise at the expense of higher communication overhead at the locators.


6  Performance  Evaluation 

In  this  section,  we  evaluated  the  performance  of  SeRLoc  and  HiRLoc  with  respect 
to  their  localization  accuracy.  To  emulate  the  conditions  of  a  real  deployment,  we 
also  evaluated  SeRLoc  under  error  in  the  locators’  coordinates  and  false  estimation 
of  the  antenna  sector  that  includes  the  sensors  and  empirically  showed  that  SeRLoc 
is  robust  against  both  sources  of  error. 

6.1  Simulation  Setup 

We randomly distributed 5,000 sensors within a 100×100 m² rectangular area. We also randomly placed locators within the same area and computed the average localization error as:

(27)

where $S$ is the set of sensors, $s_i$ is the sensor estimated position, $s_i$ is the real position and $r$ is the sensor-to-sensor communication range.

Fig. 16. The cumulative distribution function (cdf) of the localization error of SeRLoc when $M = 3$ and (a) $LH = 4$, (b) $LH = 8$.


6.2  Localization  Error  vs.  Locators  Heard 

In our first experiment, we investigated the impact of the average number of locators
heard LH on the localization error. In Figures 16(a) and (b), we show the cumulative
distribution function (cdf) of the localization error for SeRLoc when 3-sector
antennas are used at the locators and the average number of locators heard are LH = 6
and LH = 8, respectively. We observe that for LH = 4, the error is more evenly
distributed among its possible values with 90% of the sensors having an error of less
than 1.2r, while for LH = 8, more than 90% of the sensors have an error smaller
than 0.7r.

The highest localization error occurs when a sensor hears only one locator Li
and is R units away from Li. The probability for such an event to occur can be set to
an arbitrarily small value by deploying a sufficient number of locators. For example,
when LH = 8, the probability for a sensor to hear just one locator is
P(|LH| = 1) = 2.7 × 10^-3.

In Figure 17(a) we show the ROI vs. the number of antenna rotations, and for
varying LH, when 3-sector antennas are used at each locator. Note that the ROI
is normalized over the size of the ROI given by SeRLoc, denoted by ROI(1) (no
antenna rotation). From Figure 17(a), we observe that even a single antenna rotation
reduces the size of the ROI by more than 50%, while three antenna rotations reduce
the size to ROI(4) = 0.12 ROI(1), when LH = 5. A reduction of 50% in the size
of the ROI by a single antenna rotation means that one can deploy half the locators
compared to SeRLoc and achieve the same localization accuracy by just rotating the
locators' antennas once. The savings in locators are significant considering that the
reduction in hardware requirements comes at no additional communication cost.
Fig. 17. (a) Normalized ROI vs. number of antenna rotations for varying LH. The ROI is
normalized with respect to the ROI acquired with no variation of the antenna orientation
(SeRLoc). (b) ROI vs. number of range reductions for varying LH.


We also observe that as LH increases, HiRLoc provides diminishing returns.
This is due to the fact that when the number of locators heard at each sensor is high,
SeRLoc already provides a good location estimate (small ROI) and, hence, the
margin for reduction of the ROI size is limited. In Figure 17(b) we show the normalized
ROI vs. the number of communication range reductions, and for different LH
values, when locators are equipped with 3-sector antennas.

From Figure 17(b), we observe that the communication range variation, though
it significantly improves the system performance, does not achieve the same ROI
reduction as the antenna orientation variation*. This behavior is explained by the fact
that the gradual reduction of the communication range reduces the number of
beacons heard at each sensor, in contrast with the antenna orientation variation case
where the same number of locators is heard at the sensors at each antenna rotation.
In addition, we observe that greater ROI reduction occurs when the LH at each
locator is high. This is justified by considering that a higher LH allows for more
sectors with lower communication range to intersect and hence, smaller ROI.

6.3  Localization  Error  vs.  Sector  Error 

Sensors may be located close to the boundary of two sectors of a locator, or be
deployed in a region with high multipath effects. In such a case, a sensor may falsely
assume that it is located in a sector other than the one that actually includes it. We
refer to this error as sector error (SE), defined as:

^  ^  #  of  sectors  falsely  estimated 

SE  =  - -.  (28) 


* The comparison is valid for the same number of LH, the same number of antenna
sectors and the same number of variations in the antenna rotation and communication
range, respectively.
Fig. 18. (a) Average localization error LE vs. sector error SE for varying LH (8-sector
antennas). (b) Average localization error LE vs. sector error SE for varying number of
antenna sectors (LH = 10), for a network of |S| = 5,000 and R/r = 10.


A  sector  error  of  0.5  indicates  that  every  sensor  falsely  estimated  the  sectors  of  half 
the  locators  heard.  In  Figure  18(a),  we  show  the  LE  vs.  the  SE  for  varying  LH,  and 
8-sector  antennas.  We  observe  that  the  LE  does  not  grow  significantly  large  (larger 
than  the  sensor  communication  range  r),  until  a  fraction  of  0.7  of  the  sectors  are 
falsely  estimated. 

SeRLoc is resilient to sector error due to the majority vote scheme employed in
the determination of the overlapping region. Even if a significant fraction of sectors
are falsely estimated, these sectors do not overlap in the same network area and hence
score low in the grid-sector table.

Note that for SE > 0.7, LE increases with LH. When the SE grows beyond
a threshold, the falsely estimated sectors dominate in the location determination.
As LH grows, the falsely estimated overlapping region shrinks due to the higher
number of overlapping sectors. Therefore, the CoG that defines the sensor's location
moves further away from the actual sensor location.

In  Figure  18(b),  we  show  the  LE  vs.  SE  for  LH  =  10  and  varying  number  of 
antenna  sectors.  We  observe  that  the  narrower  the  antenna  sector  the  smaller  the  LE, 
even  in  the  presence  of  SE.  For  a  small  SE  the  overlapping  region  is  dominated  by 
the  correctly  estimated  sectors  and  shrinks  with  increasing  antenna  sectors.  For  large 
SE  the  overlapping  region  is  dominated  by  the  false  sectors  and  an  increase  in  LH 
does  not  reduce  the  LE. 
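The majority-vote argument of this section can be checked on a small constructed case. The following Python sketch is an added example, not the authors' simulator: it builds a simplified grid-sector table, takes the centre of gravity (CoG) of the top-scoring grid points, and compares the normalized error with and without one falsely estimated sector. The locator coordinates, the 4-sector antennas, R = 40 and r = 10 are assumed values chosen for illustration.

```python
import math

def sector_of(locator, point, m):
    """Index of the antenna sector (m equal sectors, starting at angle 0)
    of `locator` that contains `point`."""
    ang = math.atan2(point[1] - locator[1], point[0] - locator[0]) % (2 * math.pi)
    return int(ang // (2 * math.pi / m)) % m

def estimate(beacons, m, R, size=100, step=1):
    """Simplified grid-sector table: every heard (locator, sector) pair votes for
    the grid points it covers; the estimate is the CoG of the top-scoring points."""
    best, roi = -1, []
    for gx in range(0, size + 1, step):
        for gy in range(0, size + 1, step):
            g = (gx, gy)
            score = sum(1 for loc, sec in beacons
                        if math.dist(loc, g) <= R and sector_of(loc, g, m) == sec)
            if score > best:
                best, roi = score, [g]
            elif score == best:
                roi.append(g)
    cog = (sum(x for x, _ in roi) / len(roi), sum(y for _, y in roi) / len(roi))
    return cog, best, len(roi)

# Constructed sample (assumed values, not taken from the chapter's simulations).
LOCATORS = [(35.5, 38.5), (66.5, 41.5), (62.5, 63.5), (37.5, 64.5), (44.5, 30.5)]
SENSOR, M, R, r = (50, 50), 4, 40, 10

def run(false_sectors):
    """false_sectors maps a locator index to a wrongly estimated sector index.
    Returns (error normalized by r, winning score, number of ROI grid points)."""
    beacons = [(loc, false_sectors.get(i, sector_of(loc, SENSOR, M)))
               for i, loc in enumerate(LOCATORS)]
    cog, votes, roi_size = estimate(beacons, M, R)
    return math.dist(cog, SENSOR) / r, votes, roi_size

if __name__ == "__main__":
    # One of five sectors falsely estimated corresponds to SE = 0.2.
    for label, fs in [("SE = 0", {}), ("SE = 0.2", {4: 2})]:
        le, votes, roi = run(fs)
        print(f"{label}: LE = {le:.2f} r, winning score = {votes}, ROI points = {roi}")
```

In this sample the falsified sector overlaps none of the region covered by the correct ones, so it wins no cell of the table; its only effect is that one correct constraint is lost and the ROI widens.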


7  Related  Work 

7.1  Related  Work 

An extensive literature exists for location estimation schemes for WSN in a benign
environment [4, 10, 12, 25, 27, 31, 34-36]. Recently, a number of articles have
appeared addressing the problem of sensor location estimation and verification in an
adversarial setting [3, 5, 7, 14, 17-22, 33].
Sastry et al. [33] proposed the ECHO protocol for verifying the location claim
of a node, using a challenge response scheme and a combination of RF and
Ultrasound signals. ECHO is based on a distance bounding protocol proposed by Brands
and Chaum [3]. Capkun and Hubaux proposed Verifiable Multilateration (VM) for
securing range-based localization schemes [5]. In VM, a node must verify its distance
to at least three reference points in order to securely estimate its position. Capkun et
al. also proposed a location verification method based on hidden reference points that
can verify the validity of the location claims of nodes [7].

Liu et al. [23] proposed an attack-resistant location estimation technique that can
filter bogus beacon information provided that a significant majority of
beacons is benign. Li et al. [21] discuss a variety of attacks specific to the
localization process and propose robust statistical methods that provide attack-resistant
localization. Finally, Kuhn [14] has proposed an asymmetric security mechanism for
securing GPS-like navigation signals.

7.2  Open  Problems 

While the schemes that have been proposed for secure location estimation in WSNs
[5, 7, 17-22, 33] are a significant step forward in providing a transparent and secure
localization service, several problems remain open. The dependency of the location
estimation schemes on physical characteristics such as received signal strength [1],
time of arrival or time difference of arrival [27, 34], allows side-channel attacks not
related to the strength of the cryptographic primitives used to secure the
communication [19, 21, 22].

To combat side-channel attacks a series of consistency checks have been
proposed [17-19, 22]. It remains an open problem which of the modalities of a sensor
network used to detect attacks against the localization process are invariant to
side-channel attacks. The ability of an adversary to alter the physical properties used for
localization and distort the environment can significantly impact the localization
accuracy.

Furthermore, current secure location estimation techniques do not provide any
guarantee on the localization accuracy. The analytical evaluation of the
localization error in the presence of adversaries is a problem requiring further
investigation. Finally, most secure localization schemes studied localization for static sensor
networks. Securing the location estimation process when the reference points, the
sensors or both are mobile remains an open problem.


8  Conclusion 

In  this  chapter,  we  have  studied  the  problem  of  location  estimation  for  WSN  in 
an  adversarial  environment.  We  have  demonstrated  a  series  of  attacks  relevant  to 
range-independent  localization  methods,  such  as  the  relay  attack,  the  impersonation 
attack  and  compromise  of  reference  points.  We  showed  that  securing  the  location 
estimation  process  requires  not  only  securing  the  communication  link  between  the 
reference points and the sensors, but also additional non-cryptographic consistency
checks  based  on  invariant  properties  such  as  the  communication  range  or  the  network 
deployment  statistics. 

We proposed a range-independent, decentralized localization scheme called
SeRLoc that allows sensors to determine their location in an untrusted environment. We
also proposed HiRLoc, a secure location estimation algorithm that relies on the
superposition of location information over time to improve the location estimation
accuracy. We analytically evaluated the probability of sensor displacement due to
security threats in WSNs such as the wormhole attack, the Sybil attack, and compromise
of network entities and showed that SeRLoc and HiRLoc provide accurate location
estimation even in the presence of these threats. In doing so, we used the geometric
and radio range information to detect the attacks on the localization.

Our performance evaluation studies showed that our algorithms are resilient to
sources of error such as location error of reference points as well as error in the
sector determination. We identified the integration of new modalities for consistency
checks, the analytical evaluation of the location estimation error in the presence of
adversaries and the secure location estimation for mobile sensor networks as areas
of future research.